I enabled telnet on a server on Friday... for about an hour, running across a tunnel. If you work with enough legacy crap, you still need it every now and again.
–
Satanicpuppy, Apr 26 '10 at 20:15

1

What's worse is... you don't need legacy crap at all. Just buy (recent!) Cisco VOIP appliances, and listen to Cisco consultants proudly saying "we don't support crypto features on these routers' IOS because it's not needed and would slow things down". Because, yes, according to Cisco, SSH console access and full IPSEC support are exactly the same thing. And you need a full crypto-enabled IOS to use SSH instead of Telnet.
–
Massimo, Apr 26 '10 at 20:34

14 Answers

I think most of the bad behaviours of sysadmins are due to the fact that they forget the golden rule:

A sysadmin is there to support the users, not the other way around.

I have beaten this lesson into plenty of new recruits by now, but many who are new in the field don't quite understand how important it is. From this simple rule comes the philosophy when working as a sysadmin:

Never, ever do a risky change on a production system outside maintenance windows.

If it's new and shiny it's not going into production.

If it's old and broken it's not going into production.

If it's not documented you don't get paid for it.

Changes that shift work load to the users are not worth it.

It's your responsibility to keep it running, no matter what the user is doing.

And from here you can trace the typical bad behaviours of unskilled sysadmins.

Actually, the golden rule is that the sysadmin is there to support the company. Usually this means supporting the users, but it also occasionally means encouraging users to stop less productive behaviors.
–
David Mackintosh, Apr 27 '10 at 3:19

@David I would like to agree with you, but the company is often ill-defined and ends up being middle management. And a sysadmin often has to take a fight with middle management to do what is better for everybody. So I prefer the phrasing that they are there to support the users. Obviously supporting users can mean showing them a better way to do stuff... ;)
–
pehrs, Apr 27 '10 at 7:14

It is... and a very common one, if you ask me.
–
chmeee, Apr 26 '10 at 16:52

1

That's why you need to have a security policy. Get all that discussion and management chain understanding done up front. Then if it gets overruled, you at least get it in writing.
–
mpez0, Apr 26 '10 at 20:07

1

In most environments, security must be balanced with convenience. It's a mistake to always treat users like they're trying to break your systems... They do have legitimate needs.
–
Satanicpuppy, Apr 26 '10 at 20:17

1

Yeah, damn users. They'll be wanting the network cable plugged back in next... don't they understand how to truly secure a server!?!!!?
–
gbjbaanb, Apr 26 '10 at 23:21

2

I work in a school district. You wouldn't believe the software that crosses our path and the requests to "make it work", and often it does involve breaking permissions or other workarounds. Teenagers mistreat the equipment in many strange and mysterious ways.
–
Bart Silverstrim, Apr 27 '10 at 2:28

We have our share of those around here. I keep trying to get everyone to switch to Python. At least then you get a consistent style and don't have to hunt down as many modules to do anything.
–
3dinfluence, Apr 26 '10 at 17:34

I overheard a developer say "it was difficult to write, so it SHOULD be difficult to maintain!" Needless to say, he was soon writing difficult-to-maintain code elsewhere!
–
BillN, Apr 26 '10 at 20:30

I have a bad habit of getting frustrated enough at the security "fixes" in Windows that I'll blindly add sites to a trusted site list or lower security enough that IE8/XP/Vista/etc. stops pestering me while I'm trying to get something done and I'm fairly sure I'm going to the right place and downloading the right file. I know it's supposed to make you more secure to rethink your actions, but quite frankly, click click click click makes me nuts nuts nuts and eventually the warnings all blur together until I don't pay attention to site certificate errors (it's our own self-signed, right?...well, probably...) and other times it's asking me stupid things that should have been enabled by default (yes, I really did mean to go to Windows Update, and I do want security settings to allow Microsoft's own update site to run, thank you...)

Firefox is nice, often use it, but it won't run Windows Updates on those occasions where the WSUS server isn't giving feedback on what the @#$ it's doing in the background, or it acts like it has all the updates installed and I try the manual WinUpdates from IE and HEY ANOTHER ROUND OF UPDATES! And my favorite, it finds updates from the WSUS server as it is downloading them from Windows Updates! Whoever designed that system is allergic to the idea of giving the user feedback or, when necessary, manual control...@#%#@!!
–
Bart Silverstrim, Apr 28 '10 at 0:57

I have to fight against this mentality where I'm at as well.
–
3dinfluence, Apr 26 '10 at 19:03

Or the converse: we'll apply every patch there is, whether it's required or not, and then end up with more vulnerabilities and instability as a result of those patches.
–
John Gardeniers, Apr 26 '10 at 21:47

That's AV definitions. Can't agree with you on this. They are by their nature installed without manual approval, and are time-critical. The saddest thing to come from the recent McAfee gaffe is that a number of organisations will probably undertake absurd measures like pre-testing every AV definition update they push out. Knee-jerk madness.
–
Chris Thorpe, Apr 26 '10 at 23:48

I linked to a convenient example but I'm referring to any changes to production machines that are untested. It's unfortunate that an anti-virus vendor caused a problem this time but it's not the first time this has happened. If you have a proper test facility it's a simple matter to make sure the change gets applied there first and a simple smoke test is run. It's a small price to pay to honor your SLAs.
–
Chris Nava, Apr 27 '10 at 1:24

It's also a simple matter to delay the install by just a few hours so that you can hit the kill switch if the interwebs report problems.
–
Chris Nava, Apr 27 '10 at 1:25

I've always been concerned with this. I operate probably 70+ Linux servers, all of which I have my user account on, but is there an actual alternative to attempting to memorize a retarded amount of passwords?
–
GruffTech, Apr 27 '10 at 22:24

Use certs to authenticate with SSH, but yeah, it's a pain. I use passphrases that I can easily remember for the servers I log in to often, and use KeyPass for the ones I don't and therefore won't remember.
–
gravyface, Apr 28 '10 at 1:30

Moral of the story: when Perl was the only interpreted language in town, everybody was writing Perl, and many people who were not programmers were writing crappy Perl. Now more and more people are picking up Python, so more and more crappy Python programs are being written. Or Powershell, or ..., or ...

So please stop spreading FUD about Perl, it's not the language, it's the coder.

Perhaps not a true habit, but how about habitually expecting senior managers to have and/or use a brain? Or believing programmers have a basic understanding of the machine and OS they're programming for?